Surf safely with Web Pal

It’s time to draw the line on surveillance.

Today nearly every commercial website infects our browsers with tracking files that report our activities back to parties we may not know or trust.

So we’re providing a way to draw that line:  Web Pal — a browser extension that blocks tracking and advertising*, eliminating the browser slowdowns caused by both.

Download the Web Pal here, from the Chrome Web Store
And click on the donate button to support our work.

Web Pal was developed for Customer Commons by Emmett Global, which provides privacy solutions to nonprofits. It combines Adblock Plus and Tampermonkey — two open source code bases — in one simple install that requires no additional work or maintenance. It also gives you a Customer Commons start page, which carries updates of news about surveillance and other topics of interest to Customer Commons members.

Here’s a video explaining the Web Pal:

We offer the Web Pal on Chrome. This gives you one safe browser with maximized protection, and the opportunity both to try out other protection systems on other browsers and to compare performance.  Here is a list of those systems, from ProjectVRM at Harvard’s Berkman Center for Internet and Society:

Abine † Do Not Track MeDeleteMeMaskMe PrivacyWatch: privacy-protecting browser extensions and services
AdBlock Plus Ad and tracking blocking.
Emmett † “An easy to install browser plugin that protects your privacy online”
Collusion Firefox add-on for viewing third parties tracking your movements
Disconnect.me † browser extentions to stop unwanted tracking, control data sharing
Ghostery † browser extension for tracking and controlling the trackers
Privacyfix † “One dashboard for your Facebook®, LinkedIn®, and Google® privacy. Blocks over 1200 trackers.”
PrivacyScore † browser extensions and services to users and site builders for keeping track of trackers
Privowny † – “Your personal data coach. Protect your identity/privacy. Track what the Internet knows about you.”

Note that these are maintained on a wiki and subject to change. In fact, we invite Customer Commons members to participate in ProjectVRM, and help drive development of these and other tools.

And, of course, we welcome feedback and suggestions for improving the Web Pal. And we encourage everybody to support development of all tools and services that make customers liberated, powerful and respected in the open marketplace.


* What Adblock Plus calls acceptable ads are passed through by default, but you can change it to block all ads. Just go to Chrome’s Windows menu and click down through Extensions / Emmett Web Pal / Options / Adblock Plus / Filter List. Then uncheck “Allow some non-intrusive advertising”.

Customer Commons Research: 92% of People Engage in Some Strategy to Hide Personal Data

We launched our first research paper today:  Lying and Hiding in the Name of Privacy (PDF here) by Mary Hodder and Elizabeth Churchill.

Our data supporting the paper is here:  Addendum Q&A and shortly we’ll upload a .xls of the data for those who want to do a deep dive into the results.

We all know that many people hide or submit incorrect data, click away from sites or refuse to install an app on a phone. We’ve all mostly done it.  But how many?  How much is this happening?

We’re at IIW today and of course, the age old dilemma is happening in sessions where one guy in the room says: “People will click through anything; they don’t care about privacy.”  And the next guy will say, “People are angry and frustrated and they don’t like what’s happening.”  But what’s real?  What’s right?

We conducted this survey to get a baseline about what people do now as they engage in strategies to create privacy for themselves, to try to control their personal data.

The amazing thing is.. 92 % hide, lie, refuse to install or click, some of the time. We surveyed 1704 people, and had an astonishing 95% completion rate for this survey. We also had 35% of these people writing comments in the “comment more” boxes at the bottom of the multiple choice answers. Also astonishingly high.

People expressed anger, cynicism, frustration. And they said overwhelmingly that the sites and services that ask for data DON’T NEED it.  Unless they have to get something shipped from a seller. But people don’t believe the sites. There is distrust.  The services have failed to enroll the people they want using their services that something necessary is happening, and the people who use the services are mad.

We know the numbers are high, and that it’s likely due to many not having a way to give feedback on this topic. So when we offered the survey, people did vent.

But we think it also indicates the need for qualitative and quantitative research on what is true now for people online. We want more nuanced information about what people believe, and how we might fix this problem.  Many sites only look at user logs to figure out what is happening on a site or with an app, and therefore, they miss this problem and the user feelings behind them. We want to see this studied much more seriously so that people no longer make the conflicting statements at conferences, so that developers say the user’s don’t care, so that business models are developed that think different than we do now, where sites and services just take personal data.  We want to get beyond the dispute over whether people care, to real solutions that involve customers and individuals in ways that respect them and their desires when they interact with companies.

 

 

 

Lying and Hiding in the Name of Privacy

Authors: Mary Hodder and Elizabeth Churchill

Creative Commons licenced: by-nc-nd CCLICENSE

©Customer Commons, 2013

Contact: Mary Hodder, hodder@gmail.com

Abstract

A large percentage of individuals employ artful dodges to avoid giving out requested personal information online when they believe at least some of that information is not required. These dodges include hiding personal details, intentionally submitting incorrect data, clicking away from sites or refusing to install phone applications. This suggests most people do not want to reveal more than they have to when all they want is to download apps, watch videos, shop or participate in social networking.

Keywords:  privacy, personal data, control, invasion, convergence

Download a PDF of the paper here.

 

Survey

Customer Commons’ purpose in conducting this research is to understand more fully the ways in which people manage their online identities and personal information. This survey, the first of a planned series of research efforts, explores self-reported behavior around disclosure of personal information to sites and services requesting that information online. We believe the results of this survey offer a useful starting point for a deeper conversation about the behaviors and concerns of individuals seeking to protect their privacy. Subsequent research will explore how people feel and behave toward online tracking.

This research is also intended to inform the development of software tools that give individuals ways to monitor and control the flow and use of personal data.

For this research project, Customer Commons in late 2012 surveyed a randomized group of 1,704 individuals within the United States (1,689 finished the survey, or 95%). Respondents were geographically distributed, aged 18 and up (see the appendix for specifics), and obtained through SurveyMonkey.com. The margin of error was 2.5%.

Respondents gave checkbox answers to questions and in some cases added remarks in a text box. (Survey questions and answers are in an addendum to this paper.)

Key Findings

Protecting personal data

This survey focused on the methods people use to restrict disclosure of requested personal information. Those methods include withholding, obscuring or falsifying the requested information.

Only 8.45% of respondents reported that they always accurately disclose personal information that is requested of them. The remaining 91.55% reported that they are less than fully disclosing. If they decide the site doesn’t need personal information such as names, birthdates, phone numbers, or zip codes, they leave blank answers, submit intentionally incorrect information, click away from the site, or — in the case of mobile applications, decline to install.­

Most people withhold at least some personal data. Specifically,

  • 75.7% of respondents avoid giving their mobile numbers
  • 74.8% avoid “social” login shortcuts such as those provided by Facebook or Twitter
  • 73.4% avoided giving sites or services access to a friend or contact list.
  • 58.3% don’t provide a primary email address
  • 49.3% don’t provide a real identity

The concept of trust was raised in 22% of the written responses explaining why people hide their information. Some examples include:

  • “I cannot trust a random website”
  • “I do not want spam and do not want to expose others to spam. I also don’t know how that information could be used or if the people running the site are trustworthy.”
  • “If I know why info is needed then I might provide, otherwise no way”
  • “I felt the need to cover my I.D. a little bit — like age and gender.  And I still withhold my social security #.”
  • “If I feel they don’t need it to provide a service to me they don’t get it even if I have to enter in fake info”
  • “Worries on identity theft and general privacy.”
  • “i would never give out my friends or and familys (sic) info ever”

Many respondents said sites and services request more data than required. Others suggested that providing requested information would result in an increased risk to their security. More results:

  • When the 71% of respondents who reported withholding information were asked why, they said they didn’t believe the sites needed the information. Specifically,
    • 68% reported they either didn’t know the site well when they withheld their data or didn’t trust the site.
    • 45% of those who felt they knew the site or service well still withheld information.

Respondents lied about various line items as a strategy to protect their privacy. For example, 34.2% intentionally provided an incorrect phone number, and 13.8% provided incorrect employment information. Here are some reasons they gave:

  • “I didn’t want them to have all my information, or feel it was necessary.”
  • “I have obscured various information so that I would not have further contact with a vendor who won’t leave me alone”
  • “Faking it is the best to avoid unwanted contact”
  • “Sometimes you just want to use a service without them knowing every thing about you.”
  • “I don’t like websites to have very much information on me. I regularly give out spam email addresses, bad birthday dates, and bad location information.”
  • “Registering for many mundane website often requires some pretty detailed personal info. I generally fudge this. None of their business”
  • “Because information is so easily found and transferred on the internet I do provide false info quite often to protect my identity.”

Even those who had never submitted incorrect information made statements such as:

  • “Have never made up info – just ignored requests :-)”
  • “i just don’t use that website”
  • “I have an email address that is purly (sic) for junk mail. I use this email address for websites that request my email address and then I go into that email and delete all email monthly.”
  • “I have never given incorrect information, but I have thought about it.”
  • “I don’t lie, but I omit as I feel appropriate.”

 

Going with the flow

Correcting already obscured or falsified information appears to be too much of a chore. Specifically,

  • Over 50% have rarely or never corrected data they submitted incorrectly
  • 30% correct their data “sometimes.” Of that 30%,
    • 55% said a purchase required correct information
    • 56% had a growing feeling of comfort with the site or service
    • 46% cited the ability to realize new benefits from the site with corrected information
    • 30% said they noticed others’ incorrect data at Facebook or other social sites, or in phone applications, and —
      • 80% of this group assumed that the data was falsified as a way to protect privacy
      • 40% believed the incorrect data was there to mislead marketers
      • 12% believed secretive associates were trying to mislead them
    • 13% believed services always needed correct personal information
    • 75% believed the services needed it only sometimes
    • 12% said it was never needed.

Respondents also believed that other users of these services always needed or expected correct personal data about each other 27% of the time, whereas 23% said it was sometimes needed, and 48% said it was never needed.

 

Privacy online

The results of this survey support the hypothesis that people limit, refuse to give or obfuscate personal information in an attempt to create a measure of privacy online.

On July 30, 2010, in the first article in its “What They Know” series, The Wall Street Journal reported, “One of the fastest-growing businesses on the Internet … is the business of spying on Internet users. The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry.”[i]

Adds Doc Searls, in The Intention Economy, “Tracking and ‘personalizing’—the current frontier of online advertising—probe the limits of tolerance. While harvesting mountains of data about individuals and signaling nothing obvious about their methods, tracking and personalizing together ditch one of the few noble virtues to which advertising at its best aspires: respect for the prospect’s privacy and integrity, which has long included a default assumption of anonymity.”[ii]

This survey showed one result of this system. Respondents expressed a general lack of trust in their relationships with online businesses. Many feelings ran strong. Here are some of the comments:

  • “Scary world out there, and I am a bit angry about the fact that all these website ‘track me’ as if that is OK, and then they sell MY data, obviously making money in the process.  How is that OK or even legal?  Don’t I control MY information?  Apparently not…”
  • “So if I think it might be ‘harmful’ to give out info, I don’t do it.”
  • “I want cookies outlawed 🙁
  • “My ex-husband was abusive and has stalked me. I don’t need to let the greedy sellers of my personal information draw him a map to my front door.”
  • “While I doubt I have any real protection of privacy, I have a desire to try to send a message that I want my right to protection of privacy. I regret how much we as a society have lost to the powers of marketing.”
  • “I don’t trust the security procedures of most companies. Security costs money, which cuts into profits, thus most companies have limited incentive to protect PII from cyber criminals.”
  • “The web is far less secure than commonly known.”
  • “Just as I have disconnected my land line because of a flood of unwanted calls, I refuse to give online/ access information for the same reason.”

These survey responses show people resort to withholding data or submitting false data to avoid feeling exposed online. When deciding whether to share personal information, the majority of respondents doubt that sites or services need to collect more than a minimum of obviously necessary personal data.

Conclusion

When people withhold personal data, it is to create a sense of privacy and control of their personal lives.

People are afraid or distrustful of sites, services and phone apps that request their personal data. They withhold or falsify information because they do not believe the sites need their data, and because they do not want to disclose information that might lead to spamming or other intrusions. Moreover, the techniques that people employ to preserve their sense of privacy online are largely improvised, informed by fear, and based on their subjective evaluation of entities that solicit personal information.

For the sake of privacy, people contribute to and tolerate the presence of incorrect personal data online, and attempt to correct it only when they see the clear upsides of accuracy. And, despite the failure of businesses and other organizations to convince users of the need to provide personal details beyond an email address, most users remain comfortable disclosing additional personal data only with those they know and trust.

Research Funding Grant

This research project was funded with a grant from CommerceNet, a not-for-profit research institute working to fulfill the potential of the Internet since 1993.

Customer Commons

Customer Commons is a not-for-profit working to restore the balance of power, respect and trust between individuals and the organizations that serve them, especially in the online world. We stand with the individual and therefore do not take contributions from commercial entities.

ADDENDUM:  Questions and Answers

Click here to see the complete questions, answers and written answers offered by people to provide additional information.


[i] Julia Anguin, “The Web’s New Gold Mine: Your Secrets” The Wall Street Journal, July 30, 2010. http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html

[ii] Doc Searls, The Intention Economy: When Customers Take Charge. (Cambridge, Massachusetts: Harvard Business Review Press, 2012). P. 28.

Meet Omie: a truly personal mobile device

This is Omie: OMIE-blank-slate-pcloud-in-corner

She is, literally, a clean slate. And she is your clean slate. Not Apple’s. Not Google’s. Not some phone company’s.

She can be what you want her to be, do what you want her to do, run whatever apps you want her to run, and use data you alone collect and control.

Being a clean slate makes Omie very different.

On your iPhone and iPad you can run only what Apple lets you run, and you can get only from Apple’s own store. On an Android phone you have to run Google’s pre-loaded apps, which means somebody is already not only telling you what you must do, but is following you as well.

Omie uses Android, but bows to Google only in respect of its intention to create an open Linux-based OS for mobile devices.

So Omie is yours, alone. Fully private, by design, from the start.

At Omie’s heart is your data, in your own personal cloud — not Google’s cloud or Apple’s cloud or Amazon’s cloud or the cloud of any other silo’d service.

Think of your personal cloud as a place for your stuff. Right now most of the data you use in the online marketplace — what should be your stuff —  really isn’t. It’s out in clouds that aren’t yours: one for every Web site and service you deal with.

Consider your wallet — the one in your pocket or purse. That’s your wallet. Not Google’s or Paypal’s. Yet right now Google, Paypal and a dozen other companies think the wallet you carry online should be theirs. Wouldn’t it be better to carry all their wallets inside one that’s yours alone? Omie  is desgned to make that possible, simply because she is yours alone.

Consider your shopping cart. Today that’s not even imaginable, because eevery shopping cart you’ve ever seen belongs to a company. Amazon, Ebay, Etsy, Walmart and the rest of them all have their own shopping carts for you. Why shouldn’t you have your own shopping cart, where you can see all the stuff you’ve almost-bought from all those online stores? With Omie you can at least imagine that, because Omie is yours. And imagining is the first step toward making.

So: what apps would you like Omie to run? Once we get the first few nailed down, we’ll crowdsource funding for developing both Omie and her first apps, or at least the specs for them.

To make that easy, here are just two requirements:

  1. Each app must be a kind that can only run on a device that is the owner’s alone. It can’t be one that only a corporate platform-owner (such as Google or Apple) can provide.
  2. Each app must rely first and foremost on data in the owner’s personal cloud.

The box we need to think outside of is the one that starts with a company. Here we’re starting with you.

Omie should be an instrument of control — by you. That’s why we’re stepping forward with it. Our job at Customer Commons is to stand on the side of the customer. That means we want apps that work for the customer first, and not just the seller. We need something solid to hold at our end of the demand chain — rather than, once again, to hold a device that serves as the far end of the supply chain’s whip.

We’ll bring up Omie at IIW. If you’re one of the 250 people here, come to the Omie session and let’s talk about where to go with the project. If you’re not here, put your thoughts and requests below.

Enhanced by Zemanta

Wallets are personal

wallet-smallA lot of big companies are eager to get their hands in your pockets — literally. They want your mobile phone to work as a digital wallet, and they want the digital wallet app you use to be theirs.

Naturally, this looks like it should be a big business — and to some degree it is already. But it also hasn’t met promotional expectations. This became clear a few days ago, when comScore released Digital Wallet Road Map 2013, a $4995 report on the digital wallet business. In a press release highlighting the report’s findings, Andrea Jacobs, comScore Payments Practice Leader, said “Digital wallets represent an innovative technology that has not yet reached critical mass among consumers due to a variety of factors, including low awareness and a muddied understanding of their benefits.” Here’s how the release unpacks that:

The current digital wallet landscape remains fragmented among providers because of low consumer adoption outside of PayPal, with only 12 percent of consumers claiming to have used a digital wallet other than PayPal. However, study results indicated that the digital wallet market opportunity could eventually reach 1 in 2 consumers as consumers become more aware of the offerings and educated on their benefits.

Consumer Awareness and Usage of Digital Wallet Offerings
November 2012
Source: comScore Digital Wallet Road Map 2013
Digital Wallet Percentage of Total Respondents Aware of Digital Wallet Percentage of Total Respondents Who Used the Digital Wallet
PayPal 72% 48%
Google Wallet 41% 8%
MasterCard PayPass Wallet 13% 3%
Square Wallet 8% 2%
V.me by Visa 8% 2%
ISIS 6% 1%
Lemon Wallet 5% 1%
LevelUp 5% 2%

One clear barrier to use of digital wallets is that the concept is often difficult to convey and prone to misinterpretation. Even after being asked to review the websites of particular digital wallets, respondents across all wallet brands still scored an average of just 45 percent in terms of demonstrated level of understanding.

Here’s the problem: wallets are personal. Even if you have a wallet with a brand name on it (say, Gucci or Fossil), it isn’t their wallet. It’s yours. What you keep in it, and how you use it, are none of their business. In fact, those companies would never think of making it their business, because all they’re providing you is a place to put your credit cards, your cash, or whatever other flat things you feel like carrying around in your pocket or purse.

So far, all the digital wallets out there are not yours. They belong to some company. You merely use the app. The wallet is their business, not yours. In this respect they aren’t much different than credit cards or various loyalty cards, which are things you put in your wallet; not the wallet itself. The wallet itself should be agnostic, if not oblivious, to what you put in there. It should be like a toolbox, where you can store lots of different tools, made by lots of different companies, made for serving different purposes.

All the digital wallet companies in comScore’s chart have isolated, proprietary and silo’d ways of providing payment benefits to users. Imagine buying a tool box from Sears that could only hold its own brand of tools, which would only work with devices from companies that were partners of Sears. That’s what we have with digital wallets so far. It’s the same problem we had with online systems (AOL, Compuserve, Prodigy, etc.) before the Internet came along. They were closed silos.

The Net works because it is a general purpose system. It isn’t run by any one company. Likewise, PCs are also general purpose systems. The company making them doesn’t insist that it only works with certain other partner companies. In that respect it’s open, just like the wallet in your pocket or purse. Smartphones, on the other hand, are general purpose to a more limited degree. Apple tells you what apps can and can’t run on your phone. Google makes sure some of  its own apps (such as its wallet) run only on Android phones — or run better on Android than on Apple’s or other companies’ phones (as it did for years with Google maps for Apple).

I suggest that the digital wallet might be best thought of as something that’s part a general-purpose thing called the personal cloud.

Your personal cloud is your personal space, which you run for yourself in the networked world. In it you define the ways that your personal data interacts with the world of things, and of services from companies and other entities. That may sound complicated, but it’s actually no different than the personal space you call your house, your car, and your body. In fact, you can think of a personal cloud as something akin to all three, but in the networked world rather than in the physical one. For more on this read Phil Windley, starting here; and follow what Kuppinger-Cole says about Life Management Platforms (which I recently visited here).

So, to sum up, the main thing wrong with digital wallets today isn’t what they do. It’s that they are called “wallets.” Instead they should be called what they really are, which is payment services. (Yes, they do more, but the main thing they do is facilitate transactions.)

The notion that something so personal as a wallet should be provided for you, as a service, by a company, is typical of the calf-cow thinking that has dominated computing for the duration. There is nothing wrong with this, if it’s still 1995. But it’s now 2013, and it’s time we moved on. And, to do that, I’d like to see real digital wallets — personal ones — come up as a feature of personal clouds. So, let the conversation begin. Then the development.

Bonus link: Google’s Wallet and VRM.

 

 

 

 

 

The Personal Revolution

individualWhile the history of computing and communications often appears to be one led by big entities in business and government, the biggest revolution has actually been a personal one.  Each of us, as individuals, have acquired abilities that were once those of organizations alone — and have done far more with those abilities than the big players ever could — for those big players as well as for ourselves.

It started in the early ’80s, when the IBM PC became host to thousands of new applications for individuals. Personal computers suddenly proved to be a far more fertile ground for application development and new ueses than were the old corporate mainframes and minicomputers. Computing was no longer only about calculating and data processing. It was about everything one could imagine. The result was a profusion of new capabilities for individuals that also brought great benefits to organizations of all kinds and sizes.

A little more than a decade later, in the mid-’90s, the Internet did for communications what the PC did for computing. It gave individuals abilities that went far beyond those enjoyed by big organizations anywhere. Thanks to the Net, anybody could connect with anybody (or anything), anywhere in the world, using protocols that nobody owned, everybody could use, and anybody could improve. Even though there were many owned networks within the Internet, none governed the whole, and the result was a system that put every connected thing at zero functional distance from every other thing, at costs that could often be treated as zero. The positive economic and social externalities of the Internet today are beyond calculation. Again, as with PCs, this owes to new power in the hands of individuals that proved good for organizations as well.

Then in the late ’00s, smartphones and tablets put personal computing and communications advances — won by the PC and the Internet — into devices that fit in pockets and purses, running on platforms that invited millions of new applications. Once again, the increase in personal power and freedom proved essential to organizations as well. Initial resistance to BYOD (bring your own device) has ended, and companies now develop their own apps for employees and customers to use on their smartphones and tablets.

The upward trend in personal empowerment will move next to the “Internet of things,” as more of those objects and devices become equipped with computing and communication abilities — and as individuals gain the power to combine and program interactions between those things and the many services available through APIs ( application programming interfaces) and apps. Each of us will be able, either by ourselves or with the help of “fourth parties” (ones that work for us, as do brokers and banks) to control our identities, secure our privacy, and manage our many interactions in the world, without having to rely on any one platform, vendor or other enabling party. Far better economic signaling will move in both directions between demand and supply. Genuine, trusting and productive relationships will develop, and earned loyalty will prove far more useful than the coerced kind. In sum, the market will discover that free customers and citizens will prove more capable and productive than captive ones, and that this will be good for both business and society.

Progress in this direction will not be easy or even. All through the history just outlined, there have also been constant efforts to contain and limit what individuals can do with their computing and communications abilities. Large incumbent players have worked to create dependencies from which we cannot escape, and to resist competition in open markets. In spite of the many advances they have brought to the market’s table, phone and cable companies today still operate actual or virtual monopolies, and have been working from the start — aided by captive legislators and regulators — to subordinate the Internet’s boundless positive economic externalities to their own legacy business interests. Copyright and patent absolutists have also pushed successfully for laws and regulations that thwart or stop innovation and growth outside their own virtual castles.

And now, in many countries that value neither free markets nor free citizens, efforts are afoot to move Internet “governance” (an oxymoron from the angle of the Internet’s founding protocols) from organizations such as ICANN to the ITU (International Telecommunications Union, now part of the U.N.), where they can partition the Net along national lines, censor it (as in China today), and impose tariffs on data traffic across borders — enriching governments at great expense to economic growth and prosperity, and the welfare of citizens.

Yet the computing, communications and programming genies continue to do their magic for individuals and the organizations they comprise and support. Those genies will not go back in their old bottles. Thus the way to bet in the long run is on personal and economic freedom, and the general prosperity that arises from both. The only way to make that bet pay off, however, is to work on the side of individuals and the developers that empower them. That’s our job here at Customer Commons, and we invite you to join us in that work.

Free vs. Followed

grasped hand The fight between the free market and the followed market is about to begin. And the way to bet is on the free market, because it’s what we know works best. Also because the followed market is nuts.  It only persists because it’s normative at the moment, and an enormous sum of investment is going into improving what’s most nuts about it: following people around and constantly guessing at what they might want (or trying to make them want something some algorithm thinks it might be able to make them want).

Let’s look at those norms a bit more closely. In the followed market, we —

  • Maintain separate logins and passwords for every site and service with which we do business, which might number in the hundreds
  • “Agree” to terms of service and privacy policies that we don’t bother to read because we have no choice but to accept them if we want to use the offered services
  • Acquiesce to stalking by sites and their third parties, even as we travel out of those sites and around the Web

In the physical world where the free market remains defaulted, you are free to be who you say you are (or to remain anonymous — that is, nameless in the literal sense), and to arrive at whatever terms are agreeable to you and the sellers you engage, with minimal coercion. This is what we enjoy when we walk through a bazaar, down Main Steet, or through a shopping mall. We don’t have to become a member of Nordstrom, or Trader Joe’s, The Container Store, or the corner grocer, to shop there, or to buy anything from them. And, when we do, we usually assume that we are not being tracked by the store after we leave.

In the followed market, we are free to choose between captors who make all the rules. Our personal identity is the separate one we have with each of them, and which they administrate. Our relationship with each of them is fully contained within their separate silo’d systems. Worst of all, we are stalked after we leave, as a matter of course. “Social” sites such as Facebook aid in surveillance by making it easy for us to spill all kinds of personal data — about ourselves and our contacts — when we “login with Facebook” elsewhere.

And its getting worse.

On July 30, 2010, The Wall Street Jounal inaugurated its What They Know series (http://wsj.com/wtk) with The Web’s New Gold Mine: Your Secrets, by Julia Angwin. Here were the key findings she reported:

• The study found that the nation’s 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning. A dozen sites each installed more than a hundred. The nonprofit Wikipedia installed none.

• Tracking technology is getting smarter and more intrusive. Monitoring used to be limited mainly to “cookie” files that record websites people visit. But the Journal found new tools that scan in real time what people are doing on a Web page, then instantly assess location, income, shopping interests and even medical conditions. Some tools surreptitiously re-spawn themselves even after users try to delete them.

• These profiles of individuals, constantly refreshed, are bought and sold on stock-market-like exchanges that have sprung up in the past 18 months.

The new technologies are transforming the Internet economy. Advertisers once primarily bought ads on specific Web pages—a car ad on a car site. Now, advertisers are paying a premium to follow people around the Internet, wherever they go, with highly specific marketing messages.

On the 17th of this month, in Online Tracking Ramps Up, Julia begins,

Online tracking on 50 of the most-visited websites has risen sharply since 2010, driven in part by the rise of online-advertising auctions, according to a new study by data-management company Krux Digital Inc.

The average visit to a Web page triggered 56 instances of data collection, up from just 10 instances when Krux conducted its initial study, in November 2010. The latest study was conducted last December.”The main reason for the difference is live online auctions of data about you:

Krux estimated that such auctions, known as real-time bidding exchanges, contribute to 40% of online data collection.In real-time bidding, as soon as a user visits a Web page, the visit is auctioned to the highest bidder, based on attributes such as the type of page visited or previous Web browsing by the user. The bidding is done automatically using computer algorithms.

On June 26, the Journal published On Orbitz, Mac Users Steered to Pricier Hotels, by Dana Mattioli, who writes,

The Orbitz effort, which is in its early stages, demonstrates how tracking people’s online activities can use even seemingly innocuous information—in this case, the fact that customers are visiting Orbitz.com from a Mac—to start predicting their tastes and spending habits.

Imagine walking with a friend down 5th Avenue in New York and attempting to have a conversation about the totally different scenes both of you see when you look into the stores you pass or enter together. One of you sees hats in a store window while the other sees shoes. One sees a door where the other sees a wall. One sees a counter of candies while the other sees an aisle of garden tools. When one of you pauses to look at the cosmetics counter, the colors of lipstick suddenly change, because the store — or its third parties — know it’s you and start making guesses about what you might want, or that the companies paying for shelf space in the store hope to make you want. When the other looks at the store directory, she finds that the departments have been re-arranged. Now the shoe department is to her right when it used to be to the left. The dress shoes are now in the back, and all of them are red and black. Athletic shoes are now in front, because she paused to look in the window of a sporting goods store back up the street.

Whether or not this kind of personalization works is beside a more essential point: that in today’s online marketplace we are being followed constantly, with at most only our tacit approval. Without the conscious involvement of fully human customers, operating as free and independent actors possessing full agency, the online environment has gone insane. That is, without coherence, or grounding in reality. It makes sense only to the vendor’s side of the marketplace, and even there it’s not fully together. Writes Julia Angwin in her most recent story,

More than half the time, Krux found that data collectors were piggybacking on each other. For example, when a user visited a website that had code for one tracking technology, the data collection would call out to and trigger other tracking technologies that weren’t embedded on the site. As a result of such piggybacking, websites often don’t know how much data are being collected about their users.

‘It may be the first medium where the buyers have more information about the price, the value and the amount of inventory than the seller,’ said Krux President Gordon McLeod.

In the free market, as it has been understood since our ancestors first traded shells for seeds, certain things are stable and well understood. These include not only the physical nature of locations, but social norms and protocols for interacting with each other, which begin with the assumption that the other party is a free, independent and sovereign being who controls what is public and what is private about themselves. (Which is why, for example, we tend to wear clothes in public and live in enclosed spaces.)

In the free market it would be absurd for a guy from a store to put a hand in your pocket and hold onto your leg while you walked around, saying “Don’t mind me. I’m just here to see what you’re up to. Actually I don’t want to know your name, but just to track what your body is doing so you can get the best advertising and product offerings, based on what some machines think at the moment would be best for you and for us. It’s for your own good.” Or, more literally, to do the same with an invisible robot tick that attaches to your body and sucks out your data. But in the followed market, that stuff is normative in the extreme. And it works well enough, so far, at least for the advertisers and their intermediaries, that it persists in spite of its absurdities.

The followed market will fail not only because it is absurd and offensive to human sensibilities, but because it is not as effective as the kind of simple human interactions we were all built for in the first place. We don’t have those online yet — not in the commercial space comprised of billions of competing silos. But we will. Count on it. The Web we know is just seventeen years old (dating back to the first graphical browsers in 1995).

In a general way, what the free market still lacks online is a build-out of capabilities on the customers’ side to match the build-out of capabilities on the vendors’ side. That’s what ProjectVRM has been working toward for the past six years. The result so far is a growing list of developers, projects and prospects for major breakthroughs in customer capacity to assert independence, establish privacy boundaries, and deal with vendors as self-empowered equals and not as vendor-defined and -controlled dependents.

Customer Commons’ mission is to preserve and improve the free market, both online and off, by helping customers become free and independent participants in that market. So, while ProjectVRM remains focused on development and developers, Customer Commons is focused on putting those developments to work for customers — and for giving customers a way to participate in that development, and to lead it forward.

And we welcome your help with that.

Privacy is personal

In the physical world, we govern privacy with clothes and walls, buttons, zippers, windows and doors. (See Clothing as a privacy system.)

We also see privacy as a thing that can be possessed. That’s the framing for statements like, “Give me some privacy, and “Don’t take away my privacy.”

On another hand (there can be many), we also see privacy as a state of being: “This is private.” “Keep this private.”

The American Heritage Dictionary defines privacy as “1. a) The quality or condition of being secluded from the presence or view of others; b) The state of being free from unsanctioned intrusion: a person’s right to privacy”; and  “2. The state of being concealed; secrecy.” The Collins English Dictionary (at that same link) adds one more: “3. (Philosophy) Philosophy the condition of being necessarily restricted to a single person.” The boldface is mine. I like that one. (And not just because I majored in philosophy, back in the decade.)

That’s the noun. To mine the derivational vein, we must also dig the adjective. Here’s American Heritage on private:

  1. a. Secluded from the sight, presence, or intrusion of others: a private hideaway; b. Designed or intended for one’s exclusive use: a private room.
  2. a. Of or confined to the individual; personal: a private joke; private opinions.private road b. Undertaken on an individual basis: private studies; private research. c. Of, relating to, or receiving special hospital services and privileges: a private patient.
  3. Not available for public use, control, or participation: a private club; a private party.
  4. a. Belonging to a particular person or persons, as opposed to the public or the government: private property. b. Of, relating to, or derived from nongovernment sources: private funding. c. Conducted and supported primarily by individuals or groups not affiliated with governmental agencies or corporations: a private college; a private sanatorium. d. Enrolled in or attending a private school: a private student.
  5. Not holding an official or public position: a private citizen.
  6. a. Not for public knowledge or disclosure; secret: private papers; a private communication. b. Not appropriate for use or display in public; intimate: private behavior; a private tragedy. c. Placing a high value on personal privacy: a private person.

Here’s what it says about deep sources for private (and also for privacy): “Middle English privat from Latin privatusnot in public life, past participle of privare, to release, deprive, from privussingle, alone… Indo-European roots.”

Thus, here in the everyday vernacular of the physical world, privacy is well understood, and has been since before we had History. But “here” now also constitutes the virtual world, where you are equally present, and reading this text right now. In the physical “here,” your privacy is provided by what you’re wearing and where you locate yourself. Your choices in the virtual “here” are not so plain and clear. Not yet, anyway. At best we can only hope that the stuff we try to keep private will stay that way. And it is best lately to hope less than you used to, because there is a large and growing business in abusing your privacy in the virtual world. That business is advertising. For that business, your privacy is a problem that can only be solved with a promise: Trust us. We not only respect your privacy, but are in business to help you. Buy stuff, that is.

Credit where due: the Internet Advertising Bureau (IAB) is deeply concerned about privacy, and requires that its members adhere to a raft of privacy principles. Here’s one: “Businesses collecting or using information about individual consumers for interactive advertising purposes should provide choice, where appropriate, to that individual. Consumers also should receive relevant education regarding cross-industry opportunities to opt out of the collection or use of individual information or other methods to exercise choice.”

However well-intended this might be, it’s a window fan blowing against the storm of wealth-creation that the “interactive” advertising business has become. On Friday, Facebook went public with a valuation exceeding $100 billion. Its business is advertising. So is Google’s, with a market cap hovering around $200 billion. The goal for both companies is to “personalize” advertising as much as possible. This requires making their machines learn all they can about you, whether you know it or not. And, for all their talk about providing choices, they’d rather you not shut out their tentacles or cover their prying eyes.

If you want to operate on the Web today, it is almost impossible to avoid either company, or the thousands of other that are in the business of knowing as much as possible about you, so that information can be sold to advertisers and their agencies. Wanting to maximize the sum and quality of information about individuals is at absolute odds with those companies’ stated commitments to privacy — as well as individuals’ own sense, based on experience in the physical world, of what privacy is and how it should work.

Did you know that, when you go to a site that has a Facebook “like” button, Facebook will know you were there, even if you don’t click on the button? Also, says Consumer Reports, “Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge.” And, adds Abine, “You know those Facebook Like and Connect buttons you see on almost every website?  They’re not just for sharing: they’re tracking devices.  Facebook buttons can track both members and non-members of Facebook, even if you never click them.  They transmit your clicks, browsing history, IP address, and more to Facebook.”

Is Facebook going to stop doing that kind of thing on their own, when they believe it’s also the very thing that makes them the most money?

Not surprisingly, Consumer Reports’ parent, Consumers Union, wants a policy solution. That is, new laws that restrict the ability of Facebook and others to, for example, track us without our permission. Meanwhile CU has also put up the HearUsNow site, as a way for individuals to demand better treatment by Facebook. The White House has also issued a Privacy Bill of Rights, which offers guidelines for lawmaking.

In his landmark book, Understanding Privacy, Raymond Solove details the many ways that privacy is nearly impossible to pin down in legal argument, much less in policy. So, while he notes in the first sentence of his first chapter, “Supreme Court Justice Louis Brandeis pronounced it ‘the most comprehensive of rights and the right most valued by civilized men,'” he later adds that “legal scholar Arthur Miller has declared that privacy is ‘difficult to define because it is exasperatingly vague and evanescent.'” Solove’s own case is that “the value of privacy must be determined on the basis of its importance to society, not in terms of individual rights.” He adds, “the value of privacy in a particular context depends on the social importance of the activities it facilitates.” The prescriptive chapters of the book are devoted to laying out a taxonomic framework for understanding privacy problems. Because, sensibly, “A lucid, comprehensive, and concrete understanding of privacy will aid the creation of law and policy to address privacy issues.”

Which is fine, if you think corporations and governments are the only actors in the marketplace with full agency. That is, with the ability to act, and to cause effects. As individuals on the Web, we don’t have that ability today. (Imagine having a website agree to your terms and conditions, rather than the reverse.) One symptom of that is the call for legislative protection, which we wouldn’t have if we had full agency. So, the thinking goes, “We can’t protect ourselves, so the government should step in.”

I’m against that, at least for now, because I don’t believe we’ve done enough to empower individuals on their own. I’d rather we work on equipping individuals to enjoy full agency, as independent and sovereign beings, in the online marketplace as well as in the offline one. Or, in other words, to break out of the calf-cow system (called “client-server”) that we’ve been stuck in since 1995. I believe the personal nature of privacy, as it has been understood plainly since the late Pleistocene, requires that.

Some of the tools are already there. Public key cryptography, for example. Link contracts in XDI. The stuff Alec Muffett starts talking about in Slide 47 of his presentation here. Same goes for much of the work being done by the ProjectVRM development community. As ordinary folk we don’t need to understand the technologies behind all that work, but it helps to know that we’re not starting from zero.

At the very least we need some perspective here, based on the fact that we have hardly begun to explore what it will take to create physical-grade privacy on the Net. And that as we do, we need to keep it personal. That’s where privacy is best understood and measured. There is also cause and effect. If you and I don’t have privacy online, society won’t either.